Chicago_Guy
asked on
Need help cleaning a system of Malware/Virus/Bad things
Hello All,
Been working on a friend's computer for a while now. It's running Windows XP Home. It had/has multiple infections of various types. Ran Malwarebytes and installed Norton Security, both of which found multiple items and cleaned them. Also ran the Microsoft Malicious Software Removal Tool. I am at the point that the scanners are coming back as clean, but there is still something left, or there is damage to XP that needs to be fixed. I just found a way back into safe mode, which I was blocked out of until I found a post that had a registry file to use to get into it. Running a Malwarebytes full scan again at the moment. I believe the Administrator account was also disabled, and I still need a way to fix that.
I realize I probably need to post a HijackThis log or something for you all to look at. Will do in a few hours after I sleep a bit and the MB scan finishes. Until then, any general suggestions to start with at this point?
Of course all help will be greatly appreciated.
Try to do a System Restore to a couple of days before the system was infected and then scan the computer again.
I know it's not always feasible, but would it not be easier just to back up his files and reformat the machine? It sounds like you spent quite a few hours working on it, and the end result will be "clean", but is there any other damage? I would format/install/update and protect. When I say update, that means update everything, not just Windows. Flash and Adobe Reader are the most vulnerable apps at the moment.
I've seen many infected systems. Download and run TDSSKiller and SUPERAntiSpyware.
If ComboFix, TDSSKiller, Norton, Malwarebytes and SUPERAntiSpyware don't work, then you are probably better off in the long run backing up all data files, performing a clean install and copying on your user files.
Also use Spybot.
I tend to agree with the above comments regarding reformatting and starting from scratch.
Figuring an hour to reinstall XP, two hours to install all the updates, another hour to configure it to the user's liking, and half an hour for each application installed. When you hit the eight hour mark trying to repair, it's probably more sensible to start over.
There will be guaranteed good results with a clean install. There won't be guaranteed good results cleaning up a heavily infested system, and at any time something unpleasant may pop up that renders the system unusable.
A side benefit of doing a clean install is that the unhappy loss of settings, customizations and whatnot may prompt the owner to be more careful in the future.
fwiw: I've never seen a system operate correctly with Norton installed. Suggest a different antivirus such as AVG.
ASKER
Yeah, I agree with you all that a wipe and reinstall would be best, but this is my friend's business computer; if it can be fixed without it, I have to try to.
Ok, in safe mode Malwarebytes on a full scan found nothing.
Ran TDSSKiller, found nothing.
Running SUPERAntiSpyware, it says it has found 300 tracking cookies, and Trojan.Agent/Gen-Cryptor[E gun]. Scan still running.
With ComboFix, can I post the log here or should I use BleepingComputer? Lots of warnings about "using it without supervision". I am not a novice, but I have never used ComboFix before.
Thank you all for the help so far!
Pointed question to ask your friend:
"Since this system is your business computer, and it is used to keep your business running, which is presumably important, and the system didn't infect itself, whose carelessness let all these things get into your system?"
"Since this system is your business computer, and it is used to keep your business running, which is presumably important, and the system didn't infect itself, whose carelessness let all these things get into your system?"
Do not run Malwarebytes or TDSSKiller in safe mode; do them (and ComboFix) in regular mode.
As far as the pointed question, I agree, but that is why you license Malwarebytes and run it in protected mode. It will not let you go to websites with possible malware on them.
Thanks,
Kelly W.
ASKER
DrKlahn - I fully agree, and it has been discussed at length. Now I am picking up the pieces.
And yes he will hopefully owe me (and of course all of you) big time.
Ok, SUPERAntiSpyware has supposedly taken care of Trojan.Agent/Gen-Cryptor[E gun].
Going to reboot and do scans in normal mode
ASKER
Ok, ran TDSSKiller in normal mode; it found nothing.
Running Malwarebytes full scan now, so far nothing.
Other issues:
I was able to log on as the Administrator, but I am getting "An access denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified changes" when trying to change settings in msconfig.
Also, Automatic Updates is disabled; the configuration window is greyed out even on the Administrator account.
Is there anything that will take care of those issues?
Run ComboFix, found here:
http://www.bleepingcomputer.com/download/anti-virus/combofix
Let it do its thing. It might take a while to run fully.
Thanks,
Kelly W.
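The symptoms reported just above (Automatic Updates greyed out even for the Administrator, and the firewall and AV products that the ComboFix log later shows as disabled) are usually the result of registry policy values left behind by the infection rather than of a still-running process, and a ComboFix log prints exactly those values in its "Reg Loading Points" section. The following Python script is an added example for this thread, not ComboFix's own code and not something any participant posted: it reads such a log, flags the values that explain the greyed-out settings, and prints the reg.exe command that reverts each one. The sample log text is constructed to match ComboFix's output format (the GUIDs are placeholders), the HKLM\~\services abbreviation is assumed to stand for HKLM\SYSTEM\CurrentControlSet\Services, and the revert commands are the editor's suggestions for the standard XP locations of those values.

```python
"""Triage a ComboFix log for the policy and firewall settings that malware
commonly flips and that leave Windows XP "greyed out" after the scanners
report clean.  Added example for this thread; it is not ComboFix's own code.
SAMPLE_LOG is constructed to match the format ComboFix uses."""
import re

# Product status lines near the top of a ComboFix log:
#   AV: Norton Security Suite *Disabled/Updated* {GUID}
PRODUCT_RE = re.compile(r"^(AV|FW):\s*(.+?)\s*\*(Enabled|Disabled)")
# Registry key headers in the "Reg Loading Points" section: [HKLM\~\services\...]
KEY_RE = re.compile(r"^\[(.+)\]$")
# Registry values as ComboFix prints them: "NoAutoUpdate"= 1 (0x1)
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# (key suffix, value name) -> (value meaning tampered, explanation, reg.exe revert).
# Keys are matched on their tail because ComboFix abbreviates the prefix
# (HKLM\~\services is assumed here to mean HKLM\SYSTEM\CurrentControlSet\Services).
# The revert commands are the editor's suggestions for the standard XP locations.
WATCHLIST = {
    ("policies\\microsoft\\windows\\windowsupdate\\au", "noautoupdate"): (
        "1",
        "Automatic Updates disabled by policy (its control panel is greyed out)",
        'reg delete "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"'
        " /v NoAutoUpdate /f",
    ),
    ("firewallpolicy\\standardprofile", "enablefirewall"): (
        "0",
        "Windows Firewall disabled for the standard profile",
        'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters'
        '\\FirewallPolicy\\StandardProfile" /v EnableFirewall /t REG_DWORD /d 1 /f',
    ),
}


def triage(log_text):
    """Return [(finding, revert_command)] in log order; command is '' if none."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PRODUCT_RE.match(line)
        if m:
            kind, product, state = m.groups()
            if state == "Disabled":
                findings.append((f"{kind} product '{product}' is registered but disabled", ""))
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        for (suffix, watched), (bad, why, fix) in WATCHLIST.items():
            # the value is printed as "1 (0x1)"; compare the leading token only
            if key.endswith(suffix) and name == watched and value.split()[:1] == [bad]:
                findings.append((why, fix))
        # GloballyOpenPorts entries read port:proto:scope:state:name; anything
        # not marked Disabled is an inbound exception worth explaining.
        if key.endswith("globallyopenports\\list") and "disabled" not in value.lower():
            findings.append((f"Firewall port exception enabled: {value}", ""))
    return findings


# Constructed sample in ComboFix's format (GUIDs are placeholders).
SAMPLE_LOG = r"""
AV: Live Security Suite *Disabled/Updated* {00000000-0000-0000-0000-000000000001}
AV: Norton Security Suite *Disabled/Updated* {00000000-0000-0000-0000-000000000002}
FW: Norton Security Suite *Disabled* {00000000-0000-0000-0000-000000000003}
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:HASP Port
"""

if __name__ == "__main__":
    for why, fix in triage(SAMPLE_LOG):
        print(why)
        if fix:
            print("    revert:", fix)
```

Paste the real log in place of SAMPLE_LOG (or read it from the file ComboFix writes) and run the script; the 3389:TCP entry is deliberately not reported because its own state field says Disabled. Apply the printed reg.exe commands only once the machine scans clean, then reboot and confirm the Automatic Updates window is no longer greyed out.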
ASKER
Ok, ran ComboFix,
still cannot enable Automatic Updates,
here is the log, and after that a HijackThis log as well:
ComboFix 11-09-02.04 - JJAdmin 09/02/2011 18:07:08.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18. 2037.1340 [GMT -5:00]
Running from: c:\documents and settings\JJAdmin\Desktop\C omboFix.ex e
AV: Live Security Suite *Disabled/Updated* {F5BECBCD-2BE5-47BA-A5C6-F 4E8AEC7EDF 0}
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-9 2431C1C35F 8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A 6E19C16F22 0}
.
.
(((((((((((((((((((((((((( (((((((((( ((( Other Deletions )))))))))))))))))))))))))) )))))))))) )))))))))) )))
.
.
c:\documents and settings\mrfec\20050617143 850734_SF- 555P_print _eng.exe
c:\documents and settings\mrfec\g2mdlhlpx.e xe
c:\documents and settings\mrfec\gosetup.exe
c:\documents and settings\mrfec\System
c:\documents and settings\mrfec\System\win_ qs8.jqx
c:\documents and settings\mrfec\WINDOWS
c:\progra~1\HEADLI~2\bar\1 .bin\29BAr .dll
c:\program files\HeadlineAlley_29\bar \1.bin\29B Ar.dll
c:\program files\HeadlineAlley_29\bar \1.bin\29S Rcas.dll
c:\program files\Object\bho_project.d ll
c:\windows\MailSwitch.ocx
c:\windows\system32\comct3 32.ocx
c:\windows\system32\restar t.exe
c:\windows\system32\win.in i
.
.
(((((((((((((((((((((((((( (((((((((( ((( Drivers/Services )))))))))))))))))))))))))) )))))))))) )))))))))) )))
.
.
-------\Legacy_MYWEBSEARCH SERVICE
-------\Legacy_WEBSERVER
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))) )))))
.
.
2011-09-02 22:17 . 2011-09-02 22:20 -------- dc----w- c:\documents and settings\JJAdmin
2011-08-29 14:28 . 2011-08-29 14:28 -------- d-----w- c:\program files\Defraggler
2011-08-28 22:48 . 2011-08-28 22:48 -------- d-----w- c:\program files\Trend Micro
2011-08-27 19:27 . 2010-07-26 18:42 52080 ----a-w- c:\windows\system32\Spool\ prtprocs\w 32x86\GoTo PrintProce ssor.dll
2011-08-27 19:27 . 2011-08-27 19:27 -------- dc----w- c:\documents and settings\All Users\Application Data\CitrixLogs
2011-08-27 19:27 . 2010-07-26 18:42 111472 ----a-w- c:\windows\system32\gotomo n.dll
2011-08-25 20:46 . 2011-08-25 20:46 -------- d-----w- c:\program files\Microsoft Analysis Services
2011-08-25 20:46 . 2011-08-25 20:52 -------- d-----w- c:\windows\SHELLNEW
2011-08-25 20:44 . 2011-08-25 20:44 -------- dc----r- C:\MSOCache
2011-08-24 23:46 . 2011-08-24 23:46 302592 --sha-w- C:\EUMONBMP.SYS
2011-08-24 23:43 . 2011-08-06 05:52 184072 ----a-w- c:\windows\system32\driver s\EuFdDisk .sys
2011-08-24 23:43 . 2011-08-06 05:52 16008 ----a-w- c:\windows\system32\driver s\eudskacs .sys
2011-08-24 23:43 . 2011-08-06 05:52 38920 ----a-w- c:\windows\system32\driver s\eubakup. sys
2011-08-24 23:43 . 2011-08-06 05:52 42376 ----a-w- c:\windows\system32\driver s\EUBKMON. sys
2011-08-24 23:41 . 2011-08-06 05:52 20616 ----a-w- c:\windows\system32\fbnati ve.exe
2011-08-24 23:41 . 2011-08-24 23:41 -------- d-----w- c:\program files\EaseUS
2011-08-23 14:25 . 2011-08-23 14:25 -------- dc----w- c:\documents and settings\All Users\Application Data\MemeoCommon
2011-08-23 14:24 . 2011-08-23 14:24 -------- d-----w- c:\documents and settings\LocalService\Loca l Settings\Application Data\ServiceTest
2011-08-23 14:23 . 2011-08-23 14:29 -------- d-----w- c:\program files\Memeo
2011-08-23 02:41 . 2011-07-07 00:52 41272 ----a-w- c:\windows\system32\driver s\mbamswis sarmy.sys
2011-08-23 02:41 . 2011-08-23 02:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-23 02:41 . 2011-07-07 00:52 22712 ----a-w- c:\windows\system32\driver s\mbam.sys
2011-08-23 02:01 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcac he\rdpwd.s ys
2011-08-23 02:01 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcac he\ndistap i.sys
2011-08-23 01:09 . 2011-08-23 01:09 -------- d-----w- c:\program files\Glary Utilities
2011-08-23 01:03 . 2011-08-23 01:03 -------- d-----w- c:\program files\CCleaner
2011-08-10 19:08 . 2011-08-10 19:08 -------- d-----w- c:\program files\W3i
.
.
.
(((((((((((((((((((((((((( (((((((((( (((( Find3M Report )))))))))))))))))))))))))) )))))))))) )))))))))) ))))))
.
2011-09-02 22:12 . 2010-06-12 15:50 256 ----a-w- c:\documents and settings\mrfec\pool.bin
2011-07-15 13:29 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\driver s\mrxsmb.s ys
2011-07-08 14:02 . 2004-08-10 17:51 10496 ----a-w- c:\windows\system32\driver s\ndistapi .sys
2011-07-07 18:08 . 2011-07-18 13:13 17280 ----a-w- c:\windows\system32\roboot .exe
2011-06-24 14:10 . 2004-08-10 18:01 139656 ----a-w- c:\windows\system32\driver s\rdpwd.sy s
2011-06-23 18:36 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\winine t.dll
2011-06-23 18:36 . 2004-08-10 17:51 43520 ------w- c:\windows\system32\licmgr 10.dll
2011-06-23 18:36 . 2004-08-10 17:51 1469440 ----a-w- c:\windows\system32\inetcp l.cpl
2011-06-23 12:05 . 2004-08-10 17:51 385024 ------w- c:\windows\system32\html.i ec
2011-06-20 17:44 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv .dll
.
.
(((((((((((((((((((((((((( (((((((((( ( Reg Loading Points )))))))))))))))))))))))))) )))))))))) )))))))))) ))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Brow ser Helper Objects\{6F6A5334-78E9-4D9 B-8182-8B4 1EA8C39EF} ]
.
[HKEY_CURRENT_USER\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.e xe" [2007-03-15 460784]
.
[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run]
"{0228e555-4f9c-4e35-a3ec- b109a192b4 c2}"="c:\p rogram files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1449. 0\mswinext .exe" [2010-04-27 243544]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2011-07-21 12023568]
"HeadlineAlley_29 Browser Plugin Loader"="c:\progra~1\HEADL I~2\bar\1. bin\29brmo n.exe" [2011-04-05 27648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy. exe" [2007-03-09 63712]
"Nuance PDF Reader-reminder"="c:\progr am files\Nuance\PDF Reader\Ereg\Ereg.exe" [2010-07-05 333088]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"Logoff"="c:\program files\Windows SteadyState\SCTUINotify.ex e" [2008-05-30 163856]
"Bubble"="c:\program files\Windows SteadyState\Bubble.exe" [2008-05-30 182288]
"Synchronization Manager"="c:\windows\syste m32\mobsyn c.exe" [2008-04-14 143360]
"TkBellExe"="c:\program files\real\realplayer\upda te\realsch ed.exe" [2011-05-27 273544]
"Adobe ARM"="c:\program files\common files\adobe\arm\1.0\adobea rm.exe" [2011-06-06 937920]
"AdobeAAMUpdater-1.0"="c:\ program files\Common Files\Adobe\OOBE\PDApp\UWA \UpdaterSt artupUtili ty.exe" [2011-03-15 499608]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\Sw itchBoard. exe" [2010-02-19 517096]
"AdobeCS5.5ServiceManager" ="c:\progr am files\Common Files\Adobe\CS5.5ServiceMa nager\CS5. 5ServiceMa nager.exe" [2011-01-12 1523360]
"Adobe Reader Speed Launcher"="c:\program files\adobe\reader 10.0\reader\reader_sl.exe" [2011-06-06 35736]
"EaseUs Watch"="c:\program files\EaseUS\Todo Backup\bin\EuWatch.exe" [2011-08-06 70792]
"EaseUs Tray"="c:\program files\EaseUS\Todo Backup\bin\TrayNotify.exe" [2011-08-06 744072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe " [2009-09-05 417792]
.
[HKEY_USERS\.DEFAULT\Softw are\Micros oft\Window s\CurrentV ersion\Run Once]
"SWHelper"="c:\windows\sys tem32\Macr omed\Shock wave 8\PostUpdate.exe" [2010-08-05 53248]
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows \currentve rsion\poli cies\syste m]
"HideFastUserSwitching"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\softwa re\policie s\microsof t\windows\ windowsupd ate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\softwa re\microso ft\windows \currentve rsion\expl orer\Shell ExecuteHoo ks]
"{56F9679E-7826-4C84-81F3- 532071A8BC C5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dl l" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\winlogon \notify\Go ToMyPC]
2010-07-26 18:42 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2Wi nLogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM \CurrentCo ntrolSet\C ontrol\Saf eBoot\Mini mal\Window s SteadyState]
@="Service"
.
[HKLM\~\startupfolder\C:^D ocuments and Settings^All Users^Start Menu^Programs^Startup^McAf ee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAf ee Security Scan Plus.lnk
backup=c:\windows\pss\McAf ee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^D ocuments and Settings^All Users^Start Menu^Programs^Startup^Wind ows Search.lnk]
backup=c:\windows\pss\Wind ows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^D ocuments and Settings^mrfec^Start Menu^Programs^Startup^Open Office.org 3.1.lnk]
backup=c:\windows\pss\Open Office.org 3.1.lnkStartup
HKEY_LOCAL_MACHINE\softwar e\microsof t\shared tools\msconfig\startupreg\ Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\softwar e\microsof t\shared tools\msconfig\startupreg\ AOLDialer
HKEY_LOCAL_MACHINE\softwar e\microsof t\shared tools\msconfig\startupreg\ HostManage r
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeA RM.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ BlackBerry AutoUpdate ]
2010-03-11 03:32 648536 -c--a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ cdloader]
2011-05-16 12:50 50592 ----a-w- c:\documents and settings\mrfec\Application Data\mjusbsp\cdloader2.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ ctfmon.exe ]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon .exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ DellSuppor t]
2007-03-15 17:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.e xe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ Google Desktop Search]
2010-01-07 17:10 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ Google Updater]
2010-05-09 16:23 161336 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ googletalk ]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ ISUSPM]
2007-08-30 15:50 205480 ----a-w- c:\program files\Common Files\InstallShield\Update Service\IS USPM.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ ISUSPM Startup]
2007-08-30 15:50 205480 ----a-w- c:\progra~1\COMMON~1\INSTA L~1\UPDATE ~1\ISUSPM. exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ RoxWatchTr ay]
2008-09-19 15:37 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWa tchTray9.e xe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ SunJavaUpd ateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ swg]
2008-04-13 19:17 68856 ----a-w- c:\program files\Google\GoogleToolbar Notifier\G oogleToolb arNotifier .exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ Synchroniz ation Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsyn c.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ YMailAdvis or]
2008-06-05 22:06 125208 ----a-w- c:\program files\Yahoo!\Common\YMailA dvisor.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\startupreg\ {0228e555- 4f9c-4e35- a3ec-b109a 192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\shared tools\msconfig\services]
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\securit y center]
"AVPath"="\\\\.\\root\\Sec urityCente r:AntiViru sProduct.i nstanceGui d=\"{F5BEC BCD-2BE5-4 7BA-A5C6-F 4E8AEC7EDF 0}\""
.
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile\Auth orizedAppl ications\L ist]
"c:\\WINDOWS\\system32\\se ssmgr.exe" =
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUpnpService9.exe"=
"c:\\Program Files\\Rhapsody\\rhapsody. exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.e xe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSyn c.exe"=
"c:\\Documents and Settings\\mrfec\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.e xe"=
"c:\\Program Files\\Bonjour\\mDNSRespon der.exe"=
"c:\\Program Files\\Microsoft Lync\\UcMapi.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE. EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK. EXE"=
"c:\\Documents and Settings\\mrfec\\Applicati on Data\\mjusbsp\\magicJack.e xe"=
"c:\\Program Files\\Microsoft Lync\\communicator.exe"=
.
[HKLM\~\services\sharedacc ess\parame ters\firew allpolicy\ standardpr ofile\Glob allyOpenPo rts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2 res.dll,-2 2009
"8085:TCP"= 8085:TCP:HASP Port
.
R0 EUBAKUP;EUBAKUP;c:\windows \system32\ drivers\eu bakup.sys [8/24/2011 6:43 PM 38920]
R0 EUBKMON;EUBKMON;c:\windows \system32\ drivers\EU BKMON.sys [8/24/2011 6:43 PM 42376]
R0 SymDS;Symantec Data Store;c:\windows\system32\ drivers\N3 60\0501000 .01D\symds .sys [5/22/2011 10:17 AM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\syst em32\drive rs\N360\05 01000.01D\ symefa.sys [5/22/2011 10:17 AM 744568]
R1 BHDrvx86;BHDrvx86;c:\docum ents and settings\All Users\Application Data\Norton\{0C55C096-0F1D -4F28-AAA2 -85EF59112 6E7}\N360_ 5.0.0.125\ Definition s\BASHDefs \20110812. 001\BHDrvx 86.sys [8/15/2011 6:55 PM 815736]
R1 EUDSKACS;EUDSKACS;c:\windo ws\system3 2\drivers\ eudskacs.s ys [8/24/2011 6:43 PM 16008]
R1 EUFDDISK;EUFDDISK;c:\windo ws\system3 2\drivers\ EuFdDisk.s ys [8/24/2011 6:43 PM 184072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32 \drivers\N 360\050100 0.01D\iron x86.sys [5/22/2011 10:17 AM 136312]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2/28/2010 2:33 AM 821664]
R2 DBService;SyncThru Web Admin Service Database Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe [1/16/2006 3:47 PM 114688]
R2 DispatcherServiceNT;SyncTh ru Web Admin Service Dispatcher Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.e xe [1/16/2006 3:50 PM 106496]
R2 DMService;SyncThru Web Admin Service Device Manager Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManage r.exe [1/16/2006 3:47 PM 327680]
R2 EaseUS Agent;EaseUS Agent;c:\program files\EaseUS\Todo Backup\bin\Agent.exe [8/24/2011 6:41 PM 60040]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.1.0.29\ccsv chst.exe [5/22/2011 10:17 AM 130008]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [4/24/2010 1:10 AM 483688]
R2 SLPService;SyncThru Web Admin Service SLP Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe [1/16/2006 3:48 PM 110592]
R2 SNMPService;SyncThru Web Admin Service SNMP Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe [1/16/2006 3:48 PM 229376]
R2 WebServiceNT;SyncThru Web Admin Service Web Server;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe [1/16/2006 3:48 PM 126976]
R2 Windows SteadyState;Windows SteadyState Service;c:\program files\Windows SteadyState\SCTSvc.exe [5/30/2008 2:41 PM 115728]
R3 EraserUtilRebootDrv;Eraser UtilReboot Drv;c:\pro gram files\Common Files\Symantec Shared\EENGINE\EraserUtilR ebootDrv.s ys [7/28/2011 1:17 AM 105592]
R3 IDSxpx86;IDSxpx86;c:\docum ents and settings\All Users\Application Data\Norton\{0C55C096-0F1D -4F28-AAA2 -85EF59112 6E7}\N360_ 5.0.0.125\ Definition s\IPSDefs\ 20110902.0 30\IDSXpx8 6.sys [9/2/2011 4:59 PM 356280]
R3 Sftfs;Sftfs;c:\windows\sys tem32\driv ers\Sftfsx p.sys [12/2/2009 10:23 PM 554344]
R3 Sftplay;Sftplay;c:\windows \system32\ drivers\Sf tplayxp.sy s [12/2/2009 10:23 PM 211432]
R3 Sftredir;Sftredir;c:\windo ws\system3 2\drivers\ Sftredirxp .sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\s ystem32\dr ivers\Sftv olxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [4/24/2010 1:10 AM 209768]
S2 gupdate1c9ca11c9487ab8;Goo gle Update Service (gupdate1c9ca11c9487ab8);c :\program files\Google\Update\Google Update.exe [4/30/2009 11:03 PM 133104]
S2 HeadlineAlley_29Service;He adlineAlle y Service;c:\progra~1\HEADLI ~2\bar\1.b in\29barsv c.exe [4/5/2011 5:16 PM 36864]
S3 ADM8511;PA090 USB ETHERNET 10/100 ;c:\windows\system32\drive rs\ADM8511 .SYS [9/20/2007 9:44 AM 24745]
S3 GoogleDesktopManager-11030 9-193829;G oogle Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/17/2007 8:12 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\Google Update.exe [4/30/2009 11:03 PM 133104]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProte ctionPlatf orm\OSPPSV C.EXE [1/9/2010 9:37 PM 4640000]
S3 SwitchBoard;SwitchBoard;c: \program files\Common Files\Adobe\SwitchBoard\Sw itchBoard. exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32 \drivers\w dcsam.sys [5/6/2008 4:06 PM 11520]
.
[HKEY_LOCAL_MACHINE\softwa re\microso ft\active setup\installed components\{A509B1FF-37FF- 4bFF-8CFF- 4F3A747040 FF}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpac k.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\GlaryInit ialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-08-23 23:47]
.
2011-09-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterServi ce.exe [2008-04-06 16:28]
.
2011-09-02 c:\windows\Tasks\GoogleUpd ateTaskMac hineCore.j ob
- c:\program files\Google\Update\Google Update.exe [2009-05-01 04:02]
.
2011-09-02 c:\windows\Tasks\GoogleUpd ateTaskMac hineUA.job
- c:\program files\Google\Update\Google Update.exe [2009-05-01 04:02]
.
2011-09-02 c:\windows\Tasks\GoogleUpd ateTaskUse rS-1-5-21- 3306005549 -196121685 3-15501910 55-1006Cor e.job
- c:\documents and settings\mrfec\Local Settings\Application Data\Google\Update\GoogleU pdate.exe [2011-07-13 01:45]
.
2011-09-02 c:\windows\Tasks\GoogleUpd ateTaskUse rS-1-5-21- 3306005549 -196121685 3-15501910 55-1006UA. job
- c:\documents and settings\mrfec\Local Settings\Application Data\Google\Update\GoogleU pdate.exe [2011-07-13 01:45]
.
2011-09-02 c:\windows\Tasks\RealUpgra deLogonTas kS-1-5-21- 3306005549 -196121685 3-15501910 55-1006.jo b
- c:\program files\Real\RealUpgrade\rea lupgrade.e xe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgra deLogonTas kS-1-5-21- 3306005549 -196121685 3-15501910 55-1007.jo b
- c:\program files\Real\RealUpgrade\rea lupgrade.e xe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgra deSchedule dTaskS-1-5 -21-330600 5549-19612 16853-1550 191055-100 6.job
- c:\program files\Real\RealUpgrade\rea lupgrade.e xe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\RealUpgra deSchedule dTaskS-1-5 -21-330600 5549-19612 16853-1550 191055-100 7.job
- c:\program files\Real\RealUpgrade\rea lupgrade.e xe [2011-03-29 15:47]
.
2011-09-02 c:\windows\Tasks\SDMsgUpda te (TE).job
- c:\progra~1\SMARTD~1\Messa ges\SDNoti fy.exe [2010-11-08 17:29]
.
2011-09-02 c:\windows\Tasks\User_Feed _Synchroni zation-{20 4066F4-AD6 1-46F7-8CA 7-60886C7F A41E}.job
- c:\windows\system32\msfeed ssync.exe [2007-08-13 10:31]
.
2011-09-02 c:\windows\Tasks\{F897AA24 -BDC3-11D1 -B85B-00C0 4FB93981}_ D2TPPPD1_m rfec.job
- c:\windows\system32\mobsyn c.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070917
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhoto s.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleTo olbarDynam ic_mui_en_ 7461B1589E 8B4FB7.dll /cmsidewik i.html
TCP: DhcpNameServer = 192.168.15.1
DPF: {9EF2BA47-C6A7-470D-9DD9-4 323B0CB835 3} - hxxp://192.168.15.151/WebC lient.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1 DA509E8A01 1} - hxxps://reports.igrs-ips.c om/crystal reportview ers10/Acti veXControl s/ActiveXV iewer.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{08f9937e-0 a4f-48cf-9 4e7-827223 daec1d} - c:\program files\HeadlineAlley_29\bar \1.bin\29S rcAs.dll
BHO-{f5046a39-68f3-4732-99 5f-eb2ea26 d93fb} - (no file)
Toolbar-Locked - (no file)
Toolbar-{f5046a39-68f3-473 2-995f-eb2 ea26d93fb} - (no file)
MSConfigStartUp-%PROVIDERI D% - bin\sprtcmd.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\reals ched.exe
MSConfigStartUp-VRQ Uploader - c:\program files\NortonVRQ\Engine\5.0 .2.7\VRQUp loadFiles. exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-02 18:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.1.0.29\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(736)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(4844)
c:\windows\system32\WININET.dll
c:\progra~1\HEADLI~2\bar\1.bin\29brstub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\DIAS\CnxDIAS.exe
c:\program files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-09-02 18:21:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-02 23:21
.
Pre-Run: 125,515,988,992 bytes free
Post-Run: 125,519,052,800 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /bootlog /NoExecute=OptOut
.
- - End Of File - - 65F1DC7F8116ED068D223BB46A828273
And here is the HijackThis log from a scan after ComboFix as well:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:06:20 PM, on 9/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows SteadyState\SCTSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\DIAS\CnxDIAS.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Google\Update\1.3.21.65\GoogleCrashHandler.exe
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Lync\communicator.exe
C:\Program Files\Windows SteadyState\Bubble.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Yahoo!\Common\YMailAdvisor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Documents and Settings\JJAdmin\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070917
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\IPS\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\PROGRA~1\APPGRA~1\APPGRA~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe"
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Logoff] C:\Program Files\Windows SteadyState\SCTUINotify.exe
O4 - HKLM\..\Run: [Bubble] C:\Program Files\Windows SteadyState\Bubble.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] c:\program files\adobe\reader 10.0\reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailAdvisor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [EaseUs Watch] "C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe"
O4 - HKLM\..\Run: [EaseUs Tray] "C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\mrfec\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 8\PostUpdate.exe" 1014021 (User 'Default user')
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} (WebClient Control) - http://192.168.15.151/WebClient.cab
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - https://reports.igrs-ips.com/crystalreportviewers10/ActiveXControls/ActiveXViewer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.exe
O23 - Service: SyncThru Web Admin Service Database Service (DBService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
O23 - Service: SyncThru Web Admin Service Dispatcher Service (DispatcherServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.exe
O23 - Service: SyncThru Web Admin Service Device Manager Service (DMService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManager.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EaseUS Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate1c9ca11c9487ab8) (gupdate1c9ca11c9487ab8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HeadlineAlley Service (HeadlineAlley_29Service) - HeadlineAlley - C:\PROGRA~1\HEADLI~2\bar\1.bin\29barsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSvcHst.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SyncThru Web Admin Service SLP Service (SLPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
O23 - Service: SyncThru Web Admin Service SNMP Service (SNMPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: SyncThru Web Admin Service Web Server (WebServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 17696 bytes
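A small triage script for logs like the HijackThis output above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the O2, O4, O16, O18, O20 and O23 lines, maps each one back to the registry key HijackThis read it from (the standard Windows locations for Browser Helper Objects, Run/RunOnce keys, Distribution Units, protocol handlers and filters, Winlogon Notify packages and services), and scores the entries worth a second look on a box that scans clean but is still misbehaving: registrations whose file is gone, autostarts that run out of a user profile, services with no company name, ActiveX downloads, and DLLs hooked into winlogon or Internet Explorer. A score is a "check this" marker, not a verdict: the Office XML MIME filter and SUPERAntiSpyware's Winlogon DLL in the log above are legitimate, they just sit in positions malware also uses. The sample lines are copied from the log above with the forum's wrapping spaces removed; the weights and the wording of the notes are my own choice.

```python
# Added example (not from the thread or from HijackThis): parse a HijackThis
# 2.0 log, map entries back to their registry location, score what to check.
import re
from dataclasses import dataclass, field

# Constructed test input: lines copied from the HijackThis log above, with
# the forum's line-wrapping spaces removed.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\mrfec\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} (WebClient Control) - http://192.168.15.151/WebClient.cab
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: HeadlineAlley Service (HeadlineAlley_29Service) - HeadlineAlley - C:\PROGRA~1\HEADLI~2\bar\1.bin\29barsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
CV = r"SOFTWARE\Microsoft\Windows\CurrentVersion"

# One pattern per section handled; anything else (R0/R1, O3, O8, O9, O22, ...) is skipped.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>%s) - (?P<path>.*)$" % CLSID),
    "O4": re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<path>.*?)(?: \(User '[^']*'\))?$"),
    "O16": re.compile(r"^O16 - DPF: (?P<clsid>%s)(?: \((?P<name>[^)]*)\))? - (?P<path>.*)$" % CLSID),
    "O18": re.compile(r"^O18 - (?P<kind>Protocol|Filter hijack): (?P<name>.*?) - (?P<clsid>%s) - (?P<path>.*)$" % CLSID),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<display>.*) - (?P<owner>.*?) - (?P<path>.*)$"),
}
CLSID_KEYS = {   # registry parents for the CLSID-keyed sections
    "O2": r"HKLM\%s\Explorer\Browser Helper Objects" % CV,
    "O16": r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units",
}
USER_PROFILE = re.compile(r"\\documents and settings\\[^\\]+\\(?:application data|local settings)\\", re.I)


@dataclass
class Entry:
    section: str
    name: str
    path: str
    location: str        # registry key/value HijackThis read this entry from
    owner: str = ""
    notes: list = field(default_factory=list)   # (weight, reason) pairs

    @property
    def score(self):
        return sum(w for w, _ in self.notes)


def service_short_name(display):
    """'Norton Security Suite (N360)' -> 'N360'; no parentheses -> unchanged."""
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display.strip()


def registry_location(section, g, name):
    if section in CLSID_KEYS:
        return CLSID_KEYS[section] + "\\" + g["clsid"]
    if section == "O4":   # the log's HKUS\<sid> is HKEY_USERS\<sid>
        return "\\".join((g["hive"].replace("HKUS", "HKU"), CV, g["key"], name))
    if section == "O18":
        return r"HKLM\SOFTWARE\Classes\PROTOCOLS\%s\%s" % ("Handler" if g["kind"] == "Protocol" else "Filter", name)
    if section == "O20":
        return r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s" % name
    return r"HKLM\SYSTEM\CurrentControlSet\Services\%s" % name


def assess(e):
    """(weight, reason) notes: a note means 'look here', not 'malicious'."""
    notes = []
    if e.path == "(no file)":
        notes.append((2, "registration points at a missing file: dead entry, remove the key"))
    if USER_PROFILE.search(e.path):
        notes.append((3, "binary lives in a user profile, not Program Files or system32"))
    if e.section == "O23" and e.owner == "Unknown owner":
        notes.append((2, "service binary carries no company name: verify hash/signature"))
    if e.section == "O16":
        notes.append((2, "ActiveX download (DPF) pulls code from " + e.path))
    if e.section in ("O18", "O20"):
        notes.append((3, "hook loaded into winlogon/IE for every user: confirm the vendor"))
    if "~" in e.path:
        notes.append((1, "8.3 short path hides the real folder name: expand it before judging"))
    return notes


def parse_line(line):
    """One log line -> Entry, or None for sections this script ignores."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    m = PATTERNS[section].match(line) if section in PATTERNS else None
    if not m:
        return None
    g = m.groupdict()
    name = service_short_name(g["display"]) if section == "O23" else (g.get("name") or g.get("clsid") or "(no name)").strip()
    e = Entry(section, name, g["path"].strip(), registry_location(section, g, name), g.get("owner") or "")
    e.notes = assess(e)
    return e


def triage(text):
    """Parse a whole log; highest score first, then by section and name."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(entries, key=lambda e: (-e.score, e.section, e.name))
```

Feed it the full log and walk the list from the top: for each flagged entry look at the file on disk and at the registry key the script names before deleting anything, and expand 8.3 paths such as PROGRA~1\HEADLI~2 (dir /x from a command prompt) so you are judging the real folder name.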
c:\windows\system32\WININE
c:\progra~1\HEADLI~2\bar\1
c:\windows\system32\iefram
c:\windows\system32\webche
c:\windows\system32\WPDShS
c:\windows\system32\Portab
c:\windows\system32\Portab
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponde
c:\program files\Canon\DIAS\CnxDIAS.e
c:\program files\Google\Update\1.3.21
c:\program files\Java\jre6\bin\jqs.ex
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLi
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\Search
c:\windows\system32\wscntf
c:\program files\Yahoo!\SoftwareUpdat
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\u
c:\windows\system32\Search
c:\windows\system32\Search
.
**************************
.
Completion time: 2011-09-02 18:21:05 - machine was rebooted
ComboFix-quarantined-files
.
Pre-Run: 125,515,988,992 bytes free
Post-Run: 125,519,052,800 bytes free
.
WindowsXP-KB310994-SP2-Hom
[boot loader]
timeout=2
default=multi(0)disk(0)rdi
[operating systems]
c:\cmdcons\BOOTSECT.DAT="M
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)par
.
- - End Of File - - 65F1DC7F8116ED068D223BB46A
And here is the HijackThis log from a scan after ComboFix as well:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:06:20 PM, on 9/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Windows SteadyState\SCTSvc.exe
C:\WINDOWS\system32\spools
C:\Program Files\SUPERAntiSpyware\SAS
C:\Program Files\Bonjour\mDNSResponde
C:\Program Files\Canon\DIAS\CnxDIAS.e
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.e
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManage
C:\Program Files\Java\jre6\bin\jqs.ex
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSv
C:\Program Files\Google\Update\1.3.21
C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSv
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLi
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
C:\WINDOWS\system32\svchos
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\Search
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Yahoo!\SoftwareUpdat
C:\Program Files\MSN Toolbar\Platform\5.0.1449.
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\wscntf
C:\Program Files\Microsoft Lync\communicator.exe
C:\Program Files\Windows SteadyState\Bubble.exe
C:\WINDOWS\system32\wbem\u
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\igfxtr
C:\WINDOWS\system32\hkcmd.
C:\WINDOWS\system32\igfxpe
C:\WINDOWS\system32\igfxsr
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Yahoo!\Common\YMailA
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\DellSupport\DSAgnt.e
C:\Program Files\SUPERAntiSpyware\SUP
C:\WINDOWS\system32\ctfmon
C:\Program Files\Common Files\InstallShield\Update
C:\WINDOWS\explorer.exe
C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe
C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe
C:\Documents and Settings\JJAdmin\Desktop\H
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-F
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-9
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-9
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B
O2 - BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-4
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-0
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-D
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-E
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-8
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8
O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-F
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-
O4 - HKLM\..\Run: [Bing Bar] "C:\Program Files\MSN Toolbar\Platform\5.0.1449.
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [Nuance PDF Reader-reminder] "C:\Program Files\Nuance\PDF Reader\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\PDF Reader\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Logoff] C:\Program Files\Windows SteadyState\SCTUINotify.ex
O4 - HKLM\..\Run: [Bubble] C:\Program Files\Windows SteadyState\Bubble.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobs
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\upda
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeA
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\Sw
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] c:\program files\adobe\reader 10.0\reader\reader_sl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [YMailAdvisor] "C:\Program Files\Yahoo!\Common\YMailA
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWa
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTA
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [EaseUs Watch] "C:\Program Files\EaseUS\Todo Backup\bin\EuWatch.exe"
O4 - HKLM\..\Run: [EaseUs Tray] "C:\Program Files\EaseUS\Todo Backup\bin\TrayNotify.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.e
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbar
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\Update
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\mrfec\Application
O4 - HKUS\S-1-5-18\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macro
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscu
O4 - HKUS\.DEFAULT\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macro
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleTo
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5
O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2
O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-E
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4
O16 - DPF: {A1B8A30B-8AAA-4A3E-8869-1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-0
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-0
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SAS
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: Canon Driver Information Assist Service - CANON INC. - C:\Program Files\Canon\DIAS\CnxDIAS.e
O23 - Service: SyncThru Web Admin Service Database Service (DBService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDatabase.exe
O23 - Service: SyncThru Web Admin Service Dispatcher Service (DispatcherServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDispatcher.e
O23 - Service: SyncThru Web Admin Service Device Manager Service (DMService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvDeviceManage
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.
O23 - Service: EaseUS Agent - CHENGDU YIWO Tech Development Co., Ltd - C:\Program Files\EaseUS\Todo Backup\bin\Agent.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2sv
O23 - Service: Google Update Service (gupdate1c9ca11c9487ab8) (gupdate1c9ca11c9487ab8) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\Google
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: HeadlineAlley Service (HeadlineAlley_29Service) - HeadlineAlley - C:\PROGRA~1\HEADLI~2\bar\1
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.ex
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\5.1.0.29\ccSv
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLi
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWa
O23 - Service: SyncThru Web Admin Service SLP Service (SLPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSLP.exe
O23 - Service: SyncThru Web Admin Service SNMP Service (SNMPService) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTSrvSNMP.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\Sw
O23 - Service: SyncThru Web Admin Service Web Server (WebServiceNT) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\WSTWebServer.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdat
--
End of file - 17696 bytes
Just for fun (cuz this is just so much fun, right?) try running HitmanPro.
MalwareBytes is excellent at detecting malware/grayware, etc, but this is the only program I've found so far that is good at looking for rootkit viruses.
SOLUTION
It's good that you spent so many hours analyzing and repairing the system from viruses; you have learned many things from this. It seems that the malware has been removed, but its entries still remain, and it is very difficult to determine where the virus made those entries. In this situation, if you can repair your PC without formatting, then maybe the entries would be gone. Otherwise you can restore the registry manually, and also run SFC /scannow to check system files: Sfc /scannow will inspect all of the important Windows files on your computer, including Windows DLL files. If System File Checker finds an issue with any of these protected files, it will replace it.
How to Restore the Registry Hives From a System Restore Snapshot in Windows XP
Part I
Start the Windows XP Recovery Console.
Copy the five registry hives (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT) from C:\Windows\System32\Config to C:\Windows\Tmp, adding the .bak extension.
Delete the five registry hives from C:\Windows\System32\Config.
Copy the five registry hives from the C:\Windows\Repair folder to C:\Windows\System32\Config.
With this done, you should be able to start Windows XP using the registry that was created during the initial setup of Windows XP. As a result, any changes and settings that occurred after the Setup program was finished are lost.
If you notice that your system is not able to boot after restoring the registry, then copy all the registry hives from C:\Windows\Tmp back to C:\Windows\System32\Config, dropping the .bak extension.
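The steps in the answer above, written out as the Recovery Console commands they correspond to. This is an added example, not part of the original answer; the hive names and the C:\Windows\System32\Config, C:\Windows\Tmp and C:\Windows\Repair paths are the ones the post gives, and the Windows directory is assumed to be C:\Windows. The Recovery Console has no comment command, so the `rem` lines are notes for the reader, not commands to type; each other line is typed on its own at the Recovery Console prompt.

```batch
rem Windows XP Recovery Console session. Boot from the XP CD, press R, select the
rem Windows installation, and enter the local Administrator password when asked.
rem (The Administrator account being disabled inside Windows does not block this.)

rem Step 1: back up the five live hives to C:\Windows\Tmp with a .bak extension,
rem so the change can be undone if the system will not boot afterwards.
md c:\windows\tmp
copy c:\windows\system32\config\system   c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam      c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default  c:\windows\tmp\default.bak

rem Step 2: remove the live hives (the post deletes before copying; keep that order).
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

rem Step 3: put in the hives Setup saved in C:\Windows\Repair. These are from the
rem initial installation, so every program, user and setting added since is lost.
copy c:\windows\repair\system   c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam      c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default  c:\windows\system32\config\default
exit

rem Rollback, only if Windows no longer boots after step 3: start the Recovery
rem Console again and restore the .bak copies made in step 1 (this assumes step 1
rem completed without errors), dropping the .bak extension on the way back.
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\tmp\system.bak   c:\windows\system32\config\system
copy c:\windows\tmp\software.bak c:\windows\system32\config\software
copy c:\windows\tmp\sam.bak      c:\windows\system32\config\sam
copy c:\windows\tmp\security.bak c:\windows\system32\config\security
copy c:\windows\tmp\default.bak  c:\windows\system32\config\default
exit
```

Because the Repair hives predate everything installed on the machine, this restores a registry that knows nothing about the currently installed software, the user accounts created since setup, or the infection's leftover entries. Keep the .bak copies in C:\Windows\Tmp until the system has booted and been checked, and run the SFC /scannow pass the answer recommends only after Windows is starting normally again, since it needs a working Windows session (and the XP CD) to replace protected files.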
ASKER
Thank you all for your suggestions.
I split the points among those that gave me info that got me started.
The first few scans removed most if not all of the real issues; what was left was taking care of the broken parts of Windows XP Home. A helper from bleepingcomputer guided me through the rest. My friend lucked out in that it was not damaged beyond repair (and I am crazy enough to try it). It did take me a good 24 to 36 hours of work (this includes scan time).
Learned a lot, and again, thank you all!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix